I. REAL PARTY IN INTEREST (37 C.F.R. § 41.37(c)(1)(i))

The Real Party in Interest in the present Appeal is SRC Knowledge Ventures,
L.P., the assignee of patent application no. 10/634,117, as evidenced by the assignment
set forth at Reel 014326, Frame 0580.

II. RELATED APPEALS AND INTERFERENCES (37 C.F.R. § 41.37(c)(1)(ii))

With respect to other appeals or interferences that will directly affect, or be
directly affected by, or have a bearing on the Board's decision in this appeal, Appellant is
not aware of any such appeals or interferences.

III. STATUS OF CLAIMS (37 C.F.R. § 41.37(c)(1)(iii))

A. Total Number of Claims in Application

There are 25 claims pending in the application (claims 1, 3-15, and 17-27).

B. Status of All the Claims

Claims 1, 14, and 15 are independent claims. According to pages 2-7 of the Final
Office Action dated October 18, 2006, the Examiner states that claims 1, 3-15,
and 17-27 stand rejected, and are hereby appealed. Claims 2 and 16 were
canceled in the Amendment filed September 12, 2006.

C. Claims on Appeal

There are 25 claims on appeal (claims 1, 3-15 and 17-27).

IV. STATUS OF AMENDMENTS (37 C.F.R. § 41.37(c)(1)(iv))

The claims hereby Appealed are based on the Amendment filed September 12, 
2006. No amendment was offered or entered after the Final Office Action. 

V. SUMMARY OF THE CLAIMED SUBJECT MATTER (37 C.F.R. § 41.37(c)(1)(v))

The subject matter of claim 1 can be summarized as follows:

A method is disclosed that includes providing a host computer system having at least one 
network interface interfaced with a computer network, operating the host computer system in a 
multi-user mode, and detecting an intrusion event using a system daemon. The method further 
includes, in response to detecting the intrusion event, isolating the at least one network interface 
from the computer network and taking the host computer system down to a single user state so 
that access to the host computer system is limited to physical access at the host computer system. 

Claim 1 finds support from at least FIGS. 1 and 2 and on page 2, paragraphs 1009 and
1010 and page 4, paragraph 1018 through page 5, paragraph 1022 of the specification.

The subject matter of claim 14 can be summarized as follows: 

A method is disclosed that includes providing a host computer system having at least one 
network interface interfaced with a computer network, operating the host computer system in a 
multi-user mode, executing a system daemon on the host computer system, and reading, by the 
system daemon, a configuration file that indicates at least one file in a file system of the host 
computer system to be monitored for intrusion. The configuration file includes a first directive 
type that indicates a directory whose members are to be monitored for intrusion, a second 
directive type that indicates a file to be monitored for intrusion, and a third directive type that 
indicates another configuration file to be monitored for intrusion. The method further includes
reading a valid MD5 signature for a monitored file from a database that is located on a second
computer system isolated physically and programmatically from the host computer system and
detecting an intrusion event using the system daemon by detecting that an MD5 signature of the
monitored file differs from the valid MD5 signature. Additionally, the method includes, in

2 of 15 US.App.No.: 10/634,117 
response to detecting the intrusion event, issuing an IFCONFIG down command to the at least
one network interface to isolate the at least one network interface from the computer network,
issuing an INIT1 command to an operating system of the host computer system to take the host
computer system down to a single user state, and writing a log of the intrusion event to a log
database that is not located on the second computer system.

Claim 14 finds support from at least FIGS. 1 and 2 and on page 2, paragraphs 1009 and
1010 and page 4, paragraph 1018 through page 5, paragraph 1022 of the specification.

The subject matter of claim 15 can be summarized as follows: 

A system is disclosed that includes a host computer system having at least one network 
interface interfaced with a computer network. The host computer system operates in a multi-user 
mode and detects an intrusion event using a system daemon. In response to detecting the
intrusion event, the host computer system isolates the at least one network interface from the 
computer network and takes the host computer system down to a single user state so that access 
to the host computer system is limited to physical access at the host computer system. 

Claim 15 finds support from at least FIGS. 1 and 2 and on page 2, paragraphs 1009 and
1010 and page 4, paragraph 1018 through page 5, paragraph 1022 of the specification.

VI. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL (37 C.F.R. §
41.37(c)(1)(vi))

Claims 1, 3-27 are rejected under 35 U.S.C. 103(a) as being anticipated over U.S.
Patent Publication No. 2004/0049693 ("Douglas") in view of U.S. Patent No. 6,081,894
("Mann").

VII. ARGUMENT (37 C.F.R. § 41.37(c)(1)(vii))

Appellant respectfully appeals each of the rejections applied against all claims 
now pending on appeal. 

CLAIMS 1 and 3-13 ARE ALLOWABLE OVER DOUGLAS AND MANN 

Appellant respectfully traverses the rejection of claims 1 and 3-13 under 35
U.S.C. § 103(a) over U.S. Patent Publication No. 2004/0049693 ("Douglas") in view of U.S.
Patent No. 6,081,894 ("Mann"), at page 3 of the Final Office Action. The Final Office Action
acknowledges (Final Office Action, pp. 3-4) that Douglas does not disclose or suggest, "in
response to detecting an intrusion event, isolating at least one network interface from a computer
network and taking a host system down to a single user state so that access to the host computer
system is limited to physical access at the host computer system," as recited by independent
claim 1.

The Final Office Action asserts that Mann discloses this feature, citing Mann at col. 3,
lines 2-5. At the section referenced by the Final Office Action, Mann states:

When a virus is detected, a data isolator 60, that is responsive to a control signal
42 from the data comparator 40, isolates the first data channel 22 from the second
data channel 32. Thus, viruses are detected and prevented from being received by
the data receiving entity 30.

Mann, col. 3, lines 2-5. Thus, the data isolator of Mann resides between the data receiving entity
(e.g., personal computer or local area network) and the data sending entity (i.e., the Internet). See
Mann, col. 2, line 61 through col. 3, line 7. However, Mann discloses that the data sending
entity is isolated from the data receiving entity without disrupting normal operation of either
entity. See Mann, col. 2, lines 30-32 (emphasis added).

Appellant notes that claim 1 recites "operating the host computer in a multi-user mode"
and "a host computer system to operate in a multi-user mode," respectively. Additionally,
independent claim 1 recites "in response to detecting the intrusion event, isolating the at least one
network interface from the computer network and taking the host computer system down to a
single user state so that access to the host computer system is limited to physical access at the
host computer system." The "single user state" is a different state from normal operation
("multi-user mode"). Thus, Mann does not disclose or suggest taking the host computer system
down to a single user state, as recited by independent claim 1.

The Final Office Action states: 

When the first data channel is isolated from the second data channel, it is obvious that the 
two entities are isolated from each other. Because there are only two entities and they are 
isolated from each other, it is clear that both entities are in single user states. 

The Final Office Action, p. 2.

The assumption that "it is clear that both entities are in single user states" is incorrect and
not applicable, since neither the "data isolator" nor the "data receiving entity" of Mann are
indicated to be in a multi-user state. Moreover, the data sending entity is indicated to be the
Internet (See Mann, col. 2, lines 62-63), so it is unclear how the data sending entity could ever be
reduced to a single user state.

Further, Mann discloses that the isolation is provided without disrupting normal
operation. See Mann, col. 2, lines 30-32. In direct contrast, claim 1 recites "taking the host
computer system down to a single user state." Altering the state of the device from a multi-user
state to a single user state is a disruption of normal operation. Thus, Mann teaches away from
claim 1.

Moreover, Mann discloses that the data receiving entity may be a personal computer or a 
local area network. See Mann, col. 2, lines 63-64. Mann provides no indication that the personal 
computer operates in a multi-user mode and provides no indication that the data isolator is 
adapted to take the receiving device down to a single user state. When the receiving device is a 




PAGE 11121 * RCVD AT 2/2812007 6:52:24 PM [Eastern Standard Time] ' SVR:USPTO-EFXRF-5/22 * DNIS:2738300 * CSID:5123275575 * DURATION (mm-ss):04-28 



•FEB/28. 2007 5:46PM TOLER SCHAFFER NO. 695 P. 12 

Attorney Docket No.: 1033-TQ0534 

local area network, it is unclear how the local area network may be reduced to a single user state 
without disruption of normal operation. Further, Mann does not disclose or suggest any direct 
action taken with respect to the data receiving entity. Instead, Mann discloses that the data 
isolator isolates the data receiving entity by isolating a first data channel (extending from the 
data sending entity to the data isolator) from a second data channel (extending from the data 
isolator to the data receiving device). See Mann, Figure 1, Abstract, and col. 2, line 61 through 
col. 3, line 5. 

Thus, Mann does not disclose or suggest "taking the host computer system down to a
single user state," as recited by claim 1. Therefore, Mann fails to overcome the deficiencies of
Douglas, and the asserted combination of Douglas and Mann fails to disclose or suggest each and
every element of independent claim 1, and of dependent claims 3-13, at least by virtue of their
dependency from allowable claim 1. At least for the foregoing reasons, the rejection of claims 1,
and 3-13 should be withdrawn.

Additionally, dependent claim 4 provides an additional basis for patentability over the
cited references. For example, the asserted combination of Douglas and Mann fails to disclose
or suggest that "taking the host computer system down to the single user state comprises issuing
an INIT1 command to an operating system of the host computer system," as recited by claim 4.
Instead, neither Douglas nor Mann disclose taking the host computer system down to the single
user state. Moreover, to the extent that Mann discloses isolation, such isolation is achieved by
activating a data isolator and without issuing commands to a host computer system. See Mann,
Figure 1 and Abstract. Thus, Douglas and Mann do not disclose the particular combination of
claim 4.

For at least the foregoing reasons, the rejection of claims 1 and 3-13 should be 
withdrawn. 

CLAIMS 15 and 17-27 ARE ALLOWABLE OVER DOUGLAS AND MANN 

Appellant respectfully traverses the rejection of claims 15 and 17-27 under 35
U.S.C. § 103(a) over Douglas and Mann, at page 3 of the Final Office Action. The Final Office
Action acknowledges (Final Office Action, pp. 3-4) that Douglas does not disclose or suggest,
"in response to detecting an intrusion event, isolating at least one network interface from a
computer network and taking a host system down to a single user state so that access to the host
computer system is limited to physical access at the host computer system," as recited by
independent claim 15.

Claim 15 recites a system that includes "a host computer system having at least one 
network interface interfaced with a computer network," where the host computer system is to 
"operate in a multi-user mode," "detect an intrusion event using a system daemon," and "in 
response to detecting the intrusion event, isolate the at least one network interface from the 
computer network and take the host computer system down to a single user state so that access to 
the host computer system is limited to physical access at the host computer system." 

As discussed above with respect to claim 1, the Final Office Action acknowledges that
Douglas fails to disclose or suggest a system that, "in response to detecting the intrusion event,
isolate the at least one network interface from the computer network and take the host computer
system down to a single user state so that access to the host computer system is limited to
physical access at the host computer system," as recited by claim 15. Mann fails to overcome
the deficiencies of Douglas, because, not only does Mann disclose isolating the sending and
receiving entities without disrupting normal operation (See Mann, col. 2, lines 30-32), but Mann
fails to disclose or suggest a "single user state" for the sending or the receiving entities.
Moreover, Mann fails to disclose or suggest that the data isolation apparatus can operate in a
multi-user mode. Thus, the asserted combination of Douglas and Mann fails to disclose or
suggest the particular combination of claim 15.

Thus, the asserted combination of Douglas and Mann does not disclose or suggest each
and every element of claim 15, or of claims 17-27 at least by virtue of their dependency from
allowable claim 15.

For at least the foregoing reasons, the rejection of claims 15 and 17-27 over Douglas and
Mann should be withdrawn.

CLAIM 14 IS ALLOWABLE OVER DOUGLAS AND MANN

Appellant respectfully traverses the rejection of claim 14 under 35 U.S.C. § 103(a) over
Douglas in view of Mann at pages 3 and 6 of the Final Office Action. None of the cited
references, alone or in combination, recite the particular combination of independent claim 14.

The Final Office Action states that claim 14 "is rejected by Douglas and Mann as applied
to claims 1-8 and 10." See Final Office Action, p. 6. However, the Final Office Action fails to
indicate the particular bases for the rejection, and the Appellant is left to guess as to how the
Office is interpreting the references to apply to the actual claim language. Appellant notes that
claim 14 recites:

A method comprising:

providing a host computer system having at least one network interface interfaced with a
computer network;
operating the host computer system in a multi-user mode;
executing a system daemon on the host computer system;
reading, by the system daemon, a configuration file that indicates at least one file in a file
system of the host computer system to be monitored for intrusion, wherein the
configuration file comprises a first directive type that indicates a directory whose
members are to be monitored for intrusion, a second directive type that indicates a
file to be monitored for intrusion, and a third directive type that indicates another
configuration file to be monitored for intrusion;
reading a valid MD5 signature for a monitored file from a database that is located on a
second computer system isolated physically and programmatically from the host
computer system;
detecting an intrusion event using the system daemon by detecting that an MD5 signature
of the monitored file differs from the valid MD5 signature; and
in response to detecting the intrusion event:
issuing an IFCONFIG down command to the at least one network interface to isolate the
at least one network interface from the computer network;
issuing an INIT1 command to an operating system of the host computer system to take
the host computer system down to a single user state; and
writing a log of the intrusion event to a log database that is not located on the second
computer system.

The cited references, alone or in combination, do not disclose or suggest the particular
combination of claim 14. For example, as described above, the asserted combination of Douglas
and Mann fails to disclose or suggest a method that includes "operating the host computer
system in a multi-user mode" and, "in response to detecting the intrusion event," "issuing an
INIT1 command to an operating system of the host computer system to take the host computer
system down to a single user state," as recited in claim 14.

As previously discussed, Douglas fails to disclose or suggest, in response to detecting an 
intrusion event, taking the host computer down to a single user state. Also, as previously 
discussed, Mann provides no indication that any of the sending entity, the receiving entity, or the
data isolator operates in a multi-user mode. Further, Mann provides no indication that the data
isolator is adapted to take the receiving device down to a single user state. Moreover, Mann does
not disclose or suggest issuing an INIT1 command to an operating system of the host computer 
system to take the host computer system down to a single user state, as recited by claim 14. 
Instead, Mann provides isolation by providing power to the data isolator to isolate the first data 
channel from the second data channel. See Mann, Abstract, and col. 2, line 61 through col. 3, 
line 5. Thus, the asserted combination of Douglas and Mann fails to disclose or suggest at least 
one element of independent claim 14. Therefore, the rejection of claim 14 should be withdrawn. 

For at least the foregoing reasons, Appellant respectfully submits that the present
application is in condition for allowance and reconsideration is respectfully requested.

VIII. CLAIMS APPENDIX (37 C.F.R. § 41.37(c)(1)(viii))

The text of each claim involved in the appeal is as follows: 

1. (Original) A method comprising: 

providing a host computer system having at least one network interface interfaced with a
computer network;
operating the host computer system in a multi-user mode;
detecting an intrusion event using a system daemon; and
in response to detecting the intrusion event, isolating the at least one network interface
from the computer network and taking the host computer system down to a single
user state so that access to the host computer system is limited to physical access
at the host computer system.

2. (Canceled). 

3. (Original) The method of claim 1 wherein said isolating the at least one network interface 
from the computer network comprises issuing an IFCONFIG down command to the at least one 
network interface. 

4. (Original) The method of claim 1 wherein said taking the host computer system down to the
single user state comprises issuing an INIT1 command to an operating system of the host
computer system.

5. (Original) The method of claim 1 further comprising: 

reading, by the system daemon, a configuration file that indicates at least one file in a file 
system of the host computer system to be monitored for intrusion. 

6. (Original) The method of claim 5 wherein the configuration file comprises a first directive
type that indicates a directory whose members are to be monitored for intrusion, a second
directive type that indicates a file to be monitored for intrusion, and a third directive type that
indicates another configuration file to be monitored for intrusion.

7. (Original) The method of claim 1 further comprising:

computing a data verification signature for a monitored file in a file system of the host
computer system; and
comparing the data verification signature to a valid data verification signature for the
monitored file;
wherein said detecting the intrusion event comprises detecting that the data verification
signature differs from the valid data verification signature.

8. (Original) The method of claim 7 wherein the valid data verification signature comprises a
Message Digest 5 (MD5) signature.

9. (Original) The method of claim 7 further comprising: 

reading the valid data verification signature for the monitored file from a database that is
located on a second computer system isolated physically and programmatically
from the host computer system.

10. (Original) The method of claim 9 further comprising:

writing a log of the intrusion event to a log database that is not located on the host 
computer system or second computer system. 

11. (Original) The method of claim 1 wherein said detecting the intrusion event comprises
detecting an incorrect permission associated with a file in a file system of the host computer 
system. 

12. (Original) The method of claim 1 wherein said detecting the intrusion event comprises 
detecting an incorrect ownership associated with a file in a file system of the host computer 
system. 

13. (Original) The method of claim 1 wherein said detecting the intrusion event comprises
detecting that a file no longer exists in a file system of the host computer system.

14. (Previously Presented) A method comprising:

providing a host computer system having at least one network interface interfaced with a
computer network;
operating the host computer system in a multi-user mode;
executing a system daemon on the host computer system;
reading, by the system daemon, a configuration file that indicates at least one file in a file
system of the host computer system to be monitored for intrusion, wherein the
configuration file comprises a first directive type that indicates a directory whose
members are to be monitored for intrusion, a second directive type that indicates a
file to be monitored for intrusion, and a third directive type that indicates another
configuration file to be monitored for intrusion;
reading a valid MD5 signature for a monitored file from a database that is located on a
second computer system isolated physically and programmatically from the host
computer system;
detecting an intrusion event using the system daemon by detecting that an MD5 signature
of the monitored file differs from the valid MD5 signature; and
in response to detecting the intrusion event:
issuing an IFCONFIG down command to the at least one network interface to isolate the
at least one network interface from the computer network;
issuing an INIT1 command to an operating system of the host computer system to take
the host computer system down to a single user state; and
writing a log of the intrusion event to a log database that is not located on the second
computer system.

15. (Original) A system comprising:

a host computer system having at least one network interface interfaced with a computer
network, the host computer system to:
operate in a multi-user mode;
detect an intrusion event using a system daemon; and
in response to detecting the intrusion event, isolate the at least one network interface from
the computer network and take the host computer system down to a single user
state so that access to the host computer system is limited to physical access at the
host computer system.

16. (Canceled).

17. (Original) The system of claim 15 wherein the host computer system is to isolate the at least
one network interface from the computer network by issuing an IFCONFIG down command to
the at least one network interface.

18. (Original) The system of claim 15 wherein the host computer system is taken down to the
single user state by issuing an INIT1 command to an operating system of the host computer
system.

19. (Original) The system of claim 15 wherein the host computer system is further to read, by
the system daemon, a configuration file that indicates at least one file in a file system of the host
computer system to be monitored for intrusion.

20. (Original) The system of claim 19 wherein the configuration file comprises a first directive 
type that indicates a directory whose members are to be monitored for intrusion, a second 
directive type that indicates a file to be monitored for intrusion, and a third directive type that 
indicates another configuration file to be monitored for intrusion.

21. (Original) The system of claim 15 wherein the host computer system is further to:

compute a data verification signature for a monitored file in a file system of the host
computer system; and
compare the data verification signature to a valid data verification signature for the
monitored file;
wherein the intrusion event is detected by detecting that the data verification signature
differs from the valid data verification signature.

22. (Original) The system of claim 21 wherein the valid data verification signature comprises a 
Message Digest 5 (MD5) signature. 

23. (Original) The system of claim 21 further comprising: 

a second computer system isolated physically and programmatically from the host 
computer system; 

wherein the host computer system is to read the valid data verification signature for the 
monitored file from a database that is located on the second computer system. 

24. (Original) The system of claim 23 further comprising: 

a log database not located on the host computer system or the second computer system; 
wherein the host computer system is further to write a log of the intrusion event to the log 
database. 

25. (Original) The system of claim 15 wherein the intrusion event comprises an incorrect 
permission associated with a file in a file system of the host computer system. 

26. (Original) The system of claim 15 wherein the intrusion event comprises an incorrect 
ownership associated with a file in a file system of the host computer system. 

27. (Original) The system of claim 15 wherein the intrusion event comprises a file no longer
existing in a file system of the host computer system.

EVIDENCE APPENDIX (37 C.F.R. § 41.37(c)(1)(ix))

(N/A)

RELATED PROCEEDINGS APPENDIX (37 C.F.R. § 41.37(c)(1)(x))

(N/A)

CONCLUSION 

For at least the above reasons, all pending claims are allowable and a notice of
allowance is courteously solicited. Please direct any questions or comments to the
undersigned attorney at the address indicated. Appellant respectfully requests
reconsideration and allowance of all claims and that this patent application be passed to



Respectfully submitted, 




Date 



Jeffrey G. Toler; Reg. No. 38,342
Attorney for Appellant 
TOLER SCHAFFER, L.L.P. 
8500 Bluffstone Cove, Suite A201 
Austin, Texas 78759 
(512) 327-5515 (phone) 
(512) 327-5575 (fax) 